Networks generally fall into two categories. Intranetworks include individual computers and shared resources interconnected within a shared common network domain. Internetworks consist of interconnected intranetworks and geographically distributed computational resources which, when taken as a whole, comprise a unified set of loosely associated computers. Each separate component within an internetwork has a unique address. The Internet, for example, is a public internetwork interconnecting computers worldwide.
Structurally, most networks are based on a layered model employing a stack of standardized protocol layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, “TCP/IP Illustrated,” Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated by reference, is a widely adopted network model implementing protocol stacks including link, network, transport, and application protocol layers.
In particular, the Transmission Control Protocol (TCP) provides a connection-oriented, reliable, byte stream service. However, TCP-based networks are also particularly susceptible to denial of service (“DoS”) attacks. Ordinarily, TCP servers reserve state, such as memory buffers and ports, upon receiving a service request from a client during a communication session initiation. However, a state consumption DoS attack attempts to force a victim server to needlessly allocate and waste resources used to hold per-connection state information. The attacker sends a high volume of bogus service requests to the victim server, which continues to allocate resources for per-connection state until all available resources are utilized. No additional state is left to be allocated for valid requesters and service is denied. A distributed DoS (DDoS) attack occurs when the attacker engages compromised hosts to participate in the attack by also sending bogus service requests.
DoS attacks are difficult to detect because the bogus service requests are indistinguishable from normal network traffic. One form of DoS attack employs “spoofed” packet source addresses. TCP alone does not provide means for ensuring that packet source addresses are valid. Rather, upper layer protocols must be used in conjunction with TCP to guarantee that a packet originated from the host located at the source address specified in the packet header. Attackers take advantage of this security hole by sending bogus service request packets using fraudulent source addresses to disguise their identity. The fraudulent source addresses could be the address of another system or might be a source address that is valid yet not presently in use.
In the prior art, intermediary-based packet validation devices have been employed to counter spoofed DoS attacks. These devices include conventional firewalls and proxy firewalls which are situated between a protected network domain or servers and potential attackers. In one form, these devices filter packets by applying validation rules. The source addresses of incoming packets are compared to parameterized lists of individual addresses for “bad” hosts. A “bad” host is a server which either originated a bogus service request or caused a bogus service request to be sent using a fraudulent source address.
Packet validation devices are typically deployed in two configurations. In a parallel configuration, a plurality of devices commonly protect a shared network enclave or server farm having a shared network domain. A parallel configuration could be found in, for instance, a multi-pathed server environment. A serial configuration occurs where packet validation devices are deployed at various network points, including within an intranetwork and throughout an internetwork. Serial devices do not share common network domains.
Both parallel- and serially-configured packet validation devices operate independently of each other. No communication channel interfacing the various devices exists. Consequently, while any given device may independently detect and respond to a DoS attack, the knowledge of the attack, in particular the parameters identifying the bad host address, is not shared with other devices.
The lack of intercommunication between packet validation devices introduces additional delays in packet transfer and can adversely affect network performance. For instance, each device implements a finite amount of table space in which to list bad hosts. The table space can become saturated, and the reallocation of additional space can cause delays. As well, propagation delays can occur through the serialization of sequential devices, where each device checks and rechecks packet traffic against its own individual parameterized list of bad hosts. In addition, when one of the parallel devices actually validates packets originating from a given source, traffic originating from that same validated host must either undergo re-validation with the peer devices or risk being dropped as un-validated traffic.
Therefore, there is a need for an efficient communication structure for providing inter-packet validation device communications. Preferably, such an approach would coalesce validation rules received from individual devices to generate a condensed list of validation rule parameters.
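As an added illustration (not part of the original text) of coalescing the per-device bad-host lists described above into one condensed list of validation rule parameters, the following Python merges three constructed device tables, collapses overlapping and adjacent entries into CIDR blocks, and applies the result as a source-address filter. The device names and addresses are constructed (RFC 5737 documentation ranges), and the table shape is an assumption.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: bad-host entries as three independent packet validation
# devices (hypothetical names) might each hold them. Entries overlap because
# each device learned about the same attack sources on its own.
DEVICE_TABLES: Dict[str, List[str]] = {
    "fw-a": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.10"],
    "fw-b": ["192.0.2.0/30", "198.51.100.10", "203.0.113.7"],
    "proxy-c": ["192.0.2.4/30", "203.0.113.7"],
}


def coalesce_rules(tables: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Merge every device's bad-host entries into one condensed rule list.

    Single addresses become /32 networks; collapse_addresses then drops
    entries subsumed by a larger block and merges adjacent blocks, so the
    shared table is smaller than the sum of the individual tables.
    """
    nets = [ipaddress.ip_network(e, strict=False)
            for entries in tables.values() for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def is_bad_source(src: str, rules: Iterable[ipaddress.IPv4Network]) -> bool:
    """Return True when the packet's source address falls in any bad-host block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in rules)


def filter_packets(packets: List[Tuple[str, int]],
                   rules: Iterable[ipaddress.IPv4Network]) -> Tuple[List, List]:
    """Split (src, dst_port) tuples into accepted and dropped using the shared rules."""
    rules = list(rules)
    accepted = [p for p in packets if not is_bad_source(p[0], rules)]
    dropped = [p for p in packets if is_bad_source(p[0], rules)]
    return accepted, dropped


RULES = coalesce_rules(DEVICE_TABLES)
TOTAL_ENTRIES = sum(len(v) for v in DEVICE_TABLES.values())

if __name__ == "__main__":
    # 9 raw entries collapse to 3 blocks: 192.0.2.0/29, 198.51.100.10/32, 203.0.113.7/32
    print(f"{TOTAL_ENTRIES} per-device entries -> {len(RULES)} shared rules: {RULES}")
    sample = [("192.0.2.6", 80), ("192.0.2.8", 80), ("203.0.113.7", 443)]
    print(filter_packets(sample, RULES))
```

Because each device's table space is finite, the condensed list also lets every device hold the union of what its peers learned without the table growing by the number of peers.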
There is a further need for an approach to improving the response time for handling spoofed DoS attacks. Preferably, such an approach would provide shared information between devices to avoid unnecessary delays, revalidations, and packet disposals.